
I plan to rent and set up a vServer with Debian xor CentOS. I know from my host that the vServers are virtualized with linux-vserver.

Assume there is a lighttpd and some mail transfer agent running, and we have to ensure that if the lighttpd gets hacked, the stored e-mails are not easily readable.

For me, this sounds impossible, but maybe I missed something, or at least you guys can validate the impossibility... :)

I think basically there are three obvious approaches.

The first is to encrypt all the data. Nevertheless, the server would have to store the key somewhere, so an attacker (w|c)ould figure that out.

Secondly, one could isolate the critical services like lighttpd. Since I am not allowed to do 'mknod' or remount /dev in a linux-vserver, it is not possible to set up a nested vServer with lxc or similar techniques.

The last approach would be to do a chroot, but I am not sure if it would provide enough security. Further, I have not yet tried whether I am able to do a chroot in a linux-vserver...?

Thanks in advance!

lukas

4 Answers


It is not trivially possible to totally separate lighty and the MTA if they run in the same OS/process space. You could of course try to prevent lighty from reading the mail via filesystem permissions, but I guess that is not what you have in mind. Encrypting the data is no option, the MTA will have to read it; if someone breaks in via lighttpd, they can probably get root, too, as there have been (and will be) numerous local root exploits for Linux lately.

I'd recommend setting up the MTA on the box and additionally setting up virtualization for the webservice. Or even nicer: put both services in VMs: even if the MTA gets hacked (which is not totally unlikely, see the exim remote root vulnerability), your webservice is still OK.

BTW: You can easily break out of a chroot, if you get root privileges.

Craig
  • Yeah, putting both services into VMs is what I wanted to do first... until I recognized that I can't virtualize inside a virtualized OS. :( Maybe I will have a closer look at AppArmor and SELinux then... Thanks! – lukas Jan 31 '11 at 14:52

"Divide et impera" is usually the answer. Chroot is rather a weak tool compared to a solution such as OpenVZ, but there's http://grsecurity.net/ as well (yeah, both of them need you to modify the kernel). Other names to mention are AppArmor and SELinux. These are quite often encountered since there are valuable distro makers behind them.

poige

Since it remains impossible to virtualize in this environment, I kept on searching and found an acceptable way of isolating the services. I would appreciate it if you commented on any doubts you have. I know that chroot is not a perfect jail, but it should be OK.

  1. chroot the web & database server (using jailkit to reduce pain)
  2. for every chroot'ed service, do not run the master process as root (as explained here for Apache)

Regards.

lukas

(This is a late answer, I know.)

On Ubuntu (and probably Debian), the Postfix package installed from apt automatically runs it with chroot.
On most of my servers, I just run Apache and MySQL as a user other than root (that is the default on Ubuntu).

If you watch your filesystem permissions, that should be all you need.

yakatz
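Both Craig's remark about stopping lighty via filesystem permissions and the "watch your filesystem permissions" advice above boil down to one question: could the web server's uid read anything under the mail spool? The following is an added example, not code from this thread; it evaluates the classic mode bits for a hypothetical uid/gid set (the `www-data` stand-in, the spool layout and the file names are all constructed), so it can be run as any user, and it ignores ACLs and AppArmor/SELinux policy, so "nothing readable" is a necessary check, not a sufficient one.

```python
# Added illustration, not code from the thread: could a given uid/gid set (think
# www-data) read anything under a directory such as the mail spool? Mode bits are
# evaluated here, so it runs as any user; ACLs and AppArmor/SELinux are ignored.
import os
import stat
import tempfile

def _allowed(st, uid, gids, rwx):
    """Classic rule: root bypasses r/w (x needs some x bit or a directory);
    otherwise exactly one class (owner, group, other) applies, by ownership."""
    if uid == 0:
        return rwx != "x" or stat.S_ISDIR(st.st_mode) or bool(st.st_mode & 0o111)
    bit = {"r": 4, "w": 2, "x": 1}[rwx]
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & bit)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & bit)
    return bool(st.st_mode & bit)

def readable_by(root, uid, gids):
    """Regular files under root that uid (in gids) could read. Every directory on
    the path must be searchable (x), so a 0600 mailbox in a 0700 spool is out of reach."""
    hits = []
    if not _allowed(os.lstat(root), uid, gids, "x"):
        return hits
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):  # prune subtrees the user cannot enter
            if not _allowed(os.lstat(os.path.join(dirpath, d)), uid, gids, "x"):
                dirnames.remove(d)
        for f in filenames:
            p = os.path.join(dirpath, f)
            st = os.lstat(p)  # symlinks: not followed, not counted
            if stat.S_ISREG(st.st_mode) and _allowed(st, uid, gids, "r"):
                hits.append(p)
    return sorted(hits)

def demo_tree():
    """Constructed layout owned by the caller: a 0700 spool holding a 0600
    mailbox beside a 0755 web root with a 0644 page; returns (top, mbox, page)."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)
    spool, web = os.path.join(top, "mail"), os.path.join(top, "www")
    mbox, page = os.path.join(spool, "lukas"), os.path.join(web, "index.html")
    for d, mode in ((spool, 0o700), (web, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    for p, mode in ((mbox, 0o600), (page, 0o644)):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(p, mode)
    return top, mbox, page
```

On a real box you would call `readable_by("/var/mail", <uid of www-data>, {<its gids>})` and expect an empty list; any hit is a file the compromised web server could hand over.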